https://www.cvehunters.com/p/cve-2026-40282/Cross-Site Scripting (XSS) Storedhttps://www.cvehunters.com/p/cve-2026-40282/https://www.cvehunters.com/p/cve-2026-40282/<h2 id="cve-2026-40282-cross-site-scripting-xss-stored-in-intercorrencia_visualizarphp">CVE-2026-40282: Cross-Site Scripting (XSS) Stored in <code>intercorrencia_visualizar.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-40282" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-40282</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the Intercorrências notification page, which is executed when user access the the page, enabling session hijacking and account takeover.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application does not properly sanitize or encode the user name field, which is displayed in system notifications and accepts user-controlled input. An attacker can inject malicious HTML or JavaScript into this field when creating or modifying a user.</br></br>When an “intercorrência” is registered, a notification is generated. Upon clicking this notification, the application renders the user name in the interface without proper escaping, causing any injected code to be executed in the browser.</br></br>This behavior demonstrates improper output encoding, resulting in a Stored XSS vulnerability.</p><h2 id="cve-2026-40282-cross-site-scripting-xss-stored-in-intercorrencia_visualizarphp">CVE-2026-40282: Cross-Site Scripting (XSS) Stored in <code>intercorrencia_visualizar.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-40282" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-40282</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the Intercorrências notification page, which is executed when user access the the page, enabling session hijacking and account takeover.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application does not properly sanitize or encode the user name field, which is displayed in system notifications and accepts user-controlled input. An attacker can inject malicious HTML or JavaScript into this field when creating or modifying a user.</br></br>When an “intercorrência” is registered, a notification is generated. Upon clicking this notification, the application renders the user name in the interface without proper escaping, causing any injected code to be executed in the browser.</br></br>This behavior demonstrates improper output encoding, resulting in a Stored XSS vulnerability.</p> <ul> <li>Vulnerable Endpoint: <code>intercorrencia_visualizar.php</code></li> </ul> <h2 id="poc">PoC </h2><h3 id="payload">Payload </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">1</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert("XSS")</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;"><b>1.</b> Register a patient where the “Name” or "Sobrenome" field contains the payload.</br></br><b>2.</b> Add a "Intercorrência" entry for this user.</br></br><b>3.</b> Navigate to the "Intercorrências" notification page and click in "Recentes" and "Histórico. This vulnerability affects the both pages.</br></br><b>4.</b> Observe that the payload is executed in the browser:</p> <p><img src="/p/cve-2026-40282/image.png" width="603" height="330" srcset="/p/cve-2026-40282/image_hu_dfc5bc911aa9fe3a.png 480w, /p/cve-2026-40282/image_hu_581b1a4709b48d43.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="182" data-flex-basis="438px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-r6h8-7vxv-q8pp" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-r6h8-7vxv-q8pp</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://br.linkedin.com/in/thiagoescarrone" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/thiago50x50.png" loading="lazy" /></a> <a class="link" href="https://br.linkedin.com/in/thiagoescarrone" target="_blank" rel="noopener" >Thiago Escarrone</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote>Fri, 17 Apr 2026 00:00:00 +0000